
Re: [michael.holstein@csuohio.edu: Re: Anonymity questions]

On Wednesday, 22. February 2006 20:34, Eugen Leitl wrote:
> clean in the water). Arguably, StartTLS already does for SMTP -- if
> only it was enabled by default, using self-signed certs.

German-language observation of a MITM attack on the STARTTLS command string

"For those that do not understand: the first route is via a direct peering
between hetzner and metabone. The second route is via British Telecom, Cable
and Wireless and Noris (but physically completely in Germany). The first
route shows a typical Exim SMTP banner advertising encryption capability
("STARTTLS"). When connecting via the second route, the STARTTLS capability
has been replaced with the letter X, and the target Exim also no longer
accepts STARTTLS. Obviously a snooping device has decided to intercept and
block SMTP encryption capabilities. What is the lesson here? Don't do away
with PGP. Then they can block delivery, but won't get to the plain text.

There are transparent spam and virus filters available on the market which
work similarly. But then the server will act identically for each route.

Another detail: Why is the STARTTLS not being filtered, but Xed out? Because
this is TCP. If you change the amount of data, you'll have to track the
datastream and fix offsets in all packets. That's a lot more work to do.
Because they did it that simply, it is clear that this is not a proxy,
because it would act on a higher layer and would have gained no advantage
from this approach (Thanks nibbler for the pointer)"

See here: http://nibbler.de/tkuev (nibbler.de is no longer available)

Kristian Köhntopp <kris@xxxxxxxxxxxxxxxxxx>
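The in-place overwrite described in the quoted observation (the STARTTLS keyword replaced byte-for-byte by X's so that TCP sequence numbers and segment lengths stay untouched) leaves a recognisable fingerprint in the EHLO reply. The following detector is an added example written for this post, not code from the original thread or from Exim; the two EHLO replies are constructed samples with placeholder hostnames and addresses, standing in for the "direct route" and "filtered route" views of the same server.

```python
"""Detect STARTTLS stripping in SMTP EHLO replies (added example).

Two constructed EHLO replies from the same (placeholder) server, as they
would be seen over two network routes. Route 2 models the behaviour in the
quoted observation: an in-line device overwrites the STARTTLS keyword with
the same number of bytes instead of deleting the line.
"""
import re

# Constructed sample: what a normal Exim-style server advertises (route 1).
EHLO_DIRECT = (
    "250-mail.example.invalid Hello client.example.invalid [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Constructed sample: the same reply after in-place rewriting (route 2).
# "XXXXXXXX" is exactly len("STARTTLS") == 8 bytes, so no offsets change.
EHLO_FILTERED = (
    "250-mail.example.invalid Hello client.example.invalid [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-XXXXXXXX\r\n"
    "250 HELP\r\n"
)

# An EHLO keyword that is one letter repeated over its whole length is not a
# real extension name; it is the signature of a byte-preserving overwrite.
_OVERWRITTEN = re.compile(r"([A-Za-z])\1{3,}")


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line 250 EHLO reply (RFC 5321 section 4.1.1.1).

    Returns the server greeting (first line) and the list of advertised
    keywords in reply order, upper-cased. Raises ValueError on a reply
    that is not a well-formed 250 continuation block.
    """
    lines = [ln for ln in response.splitlines() if ln]
    if not lines:
        raise ValueError("empty EHLO reply")
    greeting = None
    keywords = []
    for index, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        text = line[4:]
        if index == 0:
            greeting = text          # "<domain> <free-form greeting>"
        elif text.strip():
            keywords.append(text.split()[0].upper())
        is_last = line[3] == " "
        if is_last and index != len(lines) - 1:
            raise ValueError("data after final 250 line")
    return {"greeting": greeting, "keywords": keywords}


def detect_stripping(response: str) -> list:
    """Return human-readable findings indicating STARTTLS interference.

    Two independent signals are reported: a keyword that looks overwritten
    in place, and the plain absence of STARTTLS from the advertised set.
    """
    keywords = parse_ehlo(response)["keywords"]
    findings = []
    for kw in keywords:
        if _OVERWRITTEN.fullmatch(kw):
            findings.append(
                f"keyword overwritten in place: {kw!r} (len {len(kw)})"
            )
    if "STARTTLS" not in keywords:
        findings.append("STARTTLS not advertised")
    return findings


def compare_routes(reply_a: str, reply_b: str) -> dict:
    """Diff the keyword sets of two EHLO replies from the same host.

    Keywords advertised over route A but missing over route B point at a
    device on route B; keywords that only appear on route B (such as the
    X-run) show what it substituted.
    """
    kw_a = set(parse_ehlo(reply_a)["keywords"])
    kw_b = set(parse_ehlo(reply_b)["keywords"])
    return {"missing": sorted(kw_a - kw_b), "added": sorted(kw_b - kw_a)}


if __name__ == "__main__":
    for name, reply in (("direct", EHLO_DIRECT), ("filtered", EHLO_FILTERED)):
        print(f"{name}: {detect_stripping(reply) or 'no findings'}")
    print("route diff:", compare_routes(EHLO_DIRECT, EHLO_FILTERED))
```

Comparing the same server's EHLO reply across two paths, as the quoted post does, is the stronger check: a server that itself lacks STARTTLS shows identical replies on every route, while an in-line rewriter shows up as a keyword present on one path and replaced by a same-length filler on the other. Feeding real replies (for example captured with `openssl s_client -starttls smtp` or a plain SMTP session log) into `parse_ehlo` works unchanged as long as the CRLF-separated 250 block is passed in whole.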